From 317fa6046741b3304f2f694bcce07c2faa2354de Mon Sep 17 00:00:00 2001
From: Dmitry Kasatkin
Date: Fri, 24 Jan 2014 15:05:34 +0200
Subject: [PATCH] Do use x509 by default

Signed-off-by: Dmitry Kasatkin
---
 README | 23 +++++++++++------------
 src/evmctl.c | 10 +++++-----
 src/libevm.c | 3 ++-
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/README b/README
index 3e8d1df..4a454f9 100644
--- a/README
+++ b/README
@@ -19,9 +19,8 @@ it is necessary to provide '--uuid' or '-u' parameter to the 'sign' command.
 UUID can be provided on command line in form of '-uUUID' or '--uuid=UUID'.
 
 Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
-support for verifying digital signatures. The new command line parameter
-'-x' or '--x509' was added to the evmctl to enable using of X509 certificates
-and new signature format.
+support for verifying digital signatures. This version uses x509 format by default.
+Use '--rsa' or '-1' parameter to use old signature format and API.
 
 Key generation
 
@@ -98,11 +97,11 @@ Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
 
 # import IMA public key
 ima_id=`keyctl newring _ima @u`
-evmctl import /etc/keys/pubkey_evm.pem $ima_id
+evmctl --rsa import /etc/keys/pubkey_evm.pem $ima_id
 
 # import EVM public key
 evm_id=`keyctl newring _evm @u`
-evmctl import /etc/keys/pubkey_evm.pem $evm_id
+evmctl --rsa import /etc/keys/pubkey_evm.pem $evm_id
 
 # enable EVM
 echo "1" > /sys/kernel/security/evm
@@ -110,8 +109,8 @@ Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
 
 Import X509 certificate into the kernel keyring (since kernel 3.9?)
 
-$ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
-$ evmctl -x import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
+$ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
+$ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
 
 
 Signing
@@ -121,24 +120,24 @@ Default public key: /etc/keys/pubkey_evm.pem
 Default private key: /etc/keys/privkey_evm.pem
 Default X509 certificate: /etc/keys/x509_evm.der
 
-Signing for using X509 certificates is done using '-x' or '--x509' parameter.
+Signing for using old RSA format is done using '-1' or '--rsa' parameter.
 Signing for using new the EVM HMAC format is done using '-u' or '--uuid' parameter.
 
 Sign file with EVM signature and use hash value for IMA - common case
 
-$ evmctl sign [-u] [-x] --imahash test.txt
+$ evmctl sign [-u] [-1] --imahash test.txt
 
 Sign file with both IMA and EVM signatures - for immutable files
 
-$ evmctl sign [-u] [-x] --imasig test.txt
+$ evmctl sign [-u] [-1] --imasig test.txt
 
 Sign file with IMA signature - for immutable files
 
-$ evmctl ima_sign [-x] test.txt
+$ evmctl ima_sign [-1] test.txt
 
 Label whole filesystem with EVM signatures
 
-$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-x] --imahash '{}' \;
+$ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-1] --imahash '{}' \;
 
 Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
 
diff --git a/src/evmctl.c b/src/evmctl.c
index 7c7e09c..9cba307 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1510,7 +1510,7 @@ static void usage(void)
 " -d, --imahash also make IMA hash\n"
 " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
 " -m, --modsig store module signature in .sig file instead of xattr\n"
-" -x, --x509 signing key is in x509 DER format (signing v2 for using asymmetric keys)\n"
+" -1, --rsa signing key is in RSA DER format (signing v1)\n"
 " -k, --key path to signing key (default keys are /etc/keys/{privkey,pubkey}_evm.pem)\n"
 " -p, --pass password for encrypted signing key\n"
 " -u, --uuid use file system UUID in HMAC calculation (EVM v2)\n"
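Review bot: The new `-1, --rsa` line in usage() says what the flag selects but no longer tells the user what happens when it is absent — the removed `-x` line was the only place the help text named the x509 DER / v2 mode, and with the default flipped there is now no hint in `evmctl --help` that `import` and `sign` expect an x509 DER key unless `--rsa` is given. Suggest `" -1, --rsa signing key is in RSA DER format (signing v1); default is x509 DER (signing v2)\n"`. usage() starts and ends outside the hunk.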
@@ -1526,7 +1526,7 @@ static void usage(void)
 
 struct command cmds[] = {
 {"help", cmd_help, 0, ""},
-{"import", cmd_import, 0, "[--x509] pubkey keyring", "Import public key into the keyring.\n"},
+{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
 {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
 {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
 {"ima_sign", cmd_sign_ima, 0, "[--sigfile | --modsig] [--key key] [--pass password] file", "Make file content signature.\n"},
@@ -1549,7 +1549,7 @@ static struct option opts[] = {
 {"sigfile", 0, 0, 'f'},
 {"modsig", 0, 0, 'm'},
 {"uuid", 2, 0, 'u'},
-{"x509", 0, 0, 'x'},
+{"rsa", 0, 0, '1'},
 {"key", 1, 0, 'k'},
 {"type", 1, 0, 't'},
 {"recursive", 0, 0, 'r'},
@@ -1606,8 +1606,8 @@ int main(int argc, char *argv[])
 case 'u':
 uuid_str = optarg ?: "-";
 break;
-case 'x':
-params.x509 = 1;
+case '1':
+params.x509 = 0;
 break;
 case 'k':
 params.keyfile = optarg;
diff --git a/src/libevm.c b/src/libevm.c
index 0c41736..ed70354 100644
--- a/src/libevm.c
+++ b/src/libevm.c
@@ -98,7 +98,8 @@ const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST] = {
 
 struct libevm_params params = {
 .verbose = LOG_INFO - 1,
-.hash_algo = "sha1"
+.hash_algo = "sha1",
+.x509 = 1,
 };
 
 void do_dump(FILE *fp, const void *ptr, int len, bool cr)
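Review bot: The `{"rsa", 0, 0, '1'}` entry in opts[] and the `case '1':` arm in main() only make the short form work if the optstring passed to getopt_long was changed from 'x' to '1' as well; that string is not in any hunk of this patch, so if it still lists 'x', `-1` would presumably be rejected as an unknown option while `--rsa` (which goes through the long table) keeps working — worth confirming. Dropping `{"x509", 0, 0, 'x'}` outright also turns every existing `evmctl -x` / `--x509` invocation, the form the README documented until this commit, into an option-parse failure instead of a harmless no-op; keeping `{"x509", 0, 0, 'x'},` in opts[] and `case 'x': params.x509 = 1; break;` in the switch would preserve those callers at no cost. Both opts[] and the main() switch start and end outside their hunks.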
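Review bot: `.x509 = 1` in the params initializer silently changes how every `evmctl import` and `sign` run without `--rsa` interprets its key file, yet nothing at the definition records that this is the default or what clearing it selects; the README hunks in this commit are the only place the semantics are written down, and they are the part most likely to drift. Suggest `.x509 = 1, /* default: x509 DER key, v2 signatures; --rsa (-1) clears it for the v1 RSA format */` so the choice is visible where the field is set. The initializer is complete within the hunk.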